Looks like you have some custom configurations that might have caused some issues. Did all the 2.4.70 docker images get pulled and pushed to the registry? What does If you have the |
Version: 2.4.70
Installation Method: Security Onion ISO image
Description: upgrading
Installation Type: Distributed
Location: airgap
Hardware Specs: Exceeds minimum requirements
CPU: 6 for Sensor and 8 for Manager
RAM: 16GB for Sensor and 32GB for Manager
Storage for /: 6TB for Sensor and 750GB for Manager
Storage for /nsm: 4.7TB for Sensor and 435GB for Manager
Network Traffic Collection: span port
Network Traffic Speeds: 1Gbps to 10Gbps
Status: No, one or more services are failed (please provide detail below)
Salt Status: Yes, there are salt failures (please provide detail below)
Logs: Yes, there are additional clues in /opt/so/log/ (please provide detail below)
Detail:
Suricata is no longer running after I updated from 2.4.6 to 2.4.7.
I am running Security Onion Distributed in an Air Gap Environment. In addition to the Manager, I have two Sensors getting data or traffic from a Span port, two Search Nodes, and one IDH.
After I ran "sudo soup" on the Manager to update from 2.4.6 to 2.4.7, it completed with several errors.
Errors seen:
Soup failed with error 1: Unhandled error. This was the final output on screen after the update, and it stated that there were 10 "False" results that were supposed to be "True".
I rebooted all the Nodes after the update. Prior to rebooting, I ran so-status and Suricata was running; its uptime was 6 weeks while the other services showed 12 minutes of uptime (from the time of the update). I logged on to the SOC and it said to reboot the nodes listed in the Grid. After the reboot, when I run "so-status" on the Sensor nodes it states "So-Suricata is missing", but all other services are running.
The 10 False errors are as follows (4x on the Sensor related to Suricata and 6x on the Manager related to Elasticsearch):
These are the errors I saw in the logs after the update; the first 4 errors listed are seen after running "so-checkin" on the Sensors or a Salt highstate on the Manager:
SENSORS & MANAGER (4x Errors (Result: False) labeled A thru D):
A. ID: surirulesync
Function: file.recurse
Name: /opt/so/conf/suricata/rules/
Result: False
Comment: Recurse failed: none of the specified sources were found
B. ID: so-suricata
Function: docker_container.running
Result: False
Comment: One of more failed: suricata.config.surirulesync
C. ID: seconion-manager-node:500/custom/rita
Function: docker_image.present
Result: False
Comment: Encountered error pulling seconion-manager-node:5000/custom/rita:latest: Error 404: manifest for seconion-manager-node:5000/custom/rita:latest not found: manifest unknown: manifest unknown
D. ID: so-mongo
Function: docker_container.running
Name:
Result: False
Comment: Failed to pull seconion-manager-node:5000/custom/mongo:4.2: Error 404: manifest for seconion-manager-node:5000/custom/mongo:4.2 not found: manifest unknown: manifest unknown
THESE ERRORS WERE SEEN ON JUST THE MANAGER (6x Errors (Result: False) labeled A through F):
A. ID: so-elasticsearch
Function: docker_container.running
Result: False
Comment: Failed to pull seconion-manager-node:5000/security-onion-solutions/so-elasticsearch:2.4.70: Error 500: manifest for seconion-manager-node:5000/custom/mongo:4.2 not found: manifest unknown: manifest unknown
B. ID: so-es-cluster-settings
Function: cmd.run
Name: /usr/sbin/so-elasticsearch-cluster-settings
Result: False
Comment: One or more requisite failed: elasticsearch.enabled.so-elasitcsearch
C. ID: so-elasticsearch-ilm-policy-load
Function: cmd.run
Name:/usr/sbin/so-elasticsearch-ilm-policy-load
Result: False
Comment: One or more requisite failed: so-elasticsearch-ilm-policy-load
D. ID: so-elasticsearch-templates
Function: cmd.run
Name: /usr/sbin/so-elasticsearch-templates-load
Result: False
Comment: One or more requisite failed: elasticsearch.enabled.so-elasticsearch
E. ID: so-elasticsearch-piplelines
Function: cmd.run
Name: /usr/sbin/so-elasticsearch-piplelines seconion-manager-node
Result: False
Comment: One or more requisite failed: elasticsearch.enabled.so-elasticsearch
F. ID: so-elastic-roles-load
Function: cmd.run
Name:/usr/sbin/so-elasticsearch-roles-load
Result: False
Comment: One or more requisite failed: elasticsearch.enabled.so-elasticsearch
I've searched and have not found anything that helps. Is anyone else having a problem after the 2.4.7 update? Does any of this make sense to anyone?
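A failed highstate like the one above mixes a handful of root failures (a missing rule source, image manifests the local registry does not have) with states that only failed because a requisite failed. The following is an added triage helper, not Security Onion's or Salt's own code: it parses Salt's `ID / Function / Name / Result / Comment` state output, separates root causes from cascaded "requisite failed" states, and lists the image references whose pull failed together with the HTTP status the registry returned. The sample input is constructed from the states quoted in this post (the registry host `seconion-manager-node:5000` is taken from the post); the parser assumes Salt's default highstate text layout.

```python
import re
from typing import Dict, List

# Constructed sample condensed from the failing states quoted in the post.
# One passing state is included to show that only Result: False is triaged.
SAMPLE_SALT_OUTPUT = """\
----------
          ID: surirulesync
    Function: file.recurse
        Name: /opt/so/conf/suricata/rules/
      Result: False
     Comment: Recurse failed: none of the specified sources were found
----------
          ID: so-suricata
    Function: docker_container.running
      Result: False
     Comment: One or more requisite failed: suricata.config.surirulesync
----------
          ID: seconion-manager-node:5000/custom/rita
    Function: docker_image.present
      Result: False
     Comment: Encountered error pulling seconion-manager-node:5000/custom/rita:latest: Error 404: manifest for seconion-manager-node:5000/custom/rita:latest not found: manifest unknown: manifest unknown
----------
          ID: so-mongo
    Function: docker_container.running
      Result: False
     Comment: Failed to pull seconion-manager-node:5000/custom/mongo:4.2: Error 404: manifest for seconion-manager-node:5000/custom/mongo:4.2 not found: manifest unknown: manifest unknown
----------
          ID: so-elasticsearch
    Function: docker_container.running
      Result: False
     Comment: Failed to pull seconion-manager-node:5000/security-onion-solutions/so-elasticsearch:2.4.70: Error 500: manifest for seconion-manager-node:5000/custom/mongo:4.2 not found: manifest unknown: manifest unknown
----------
          ID: so-es-cluster-settings
    Function: cmd.run
        Name: /usr/sbin/so-elasticsearch-cluster-settings
      Result: False
     Comment: One or more requisite failed: elasticsearch.enabled.so-elasticsearch
----------
          ID: so-elastic-roles-load
    Function: cmd.run
        Name: /usr/sbin/so-elasticsearch-roles-load
      Result: True
     Comment: Command "/usr/sbin/so-elasticsearch-roles-load" run
"""

# "Key: value" lines in Salt's state output; the value may directly follow the colon.
KEY_RE = re.compile(r"^\s*(ID|Function|Name|Result|Comment):\s*(.*)$")
# States that failed only because something they depend on failed.
CASCADE_RE = re.compile(r"^One or more (?:requisite )?failed:")
# Image reference named in a docker pull failure ("pull X:" / "pulling X:").
IMAGE_RE = re.compile(r"pull(?:ing)?\s+(\S+?):\s")
# HTTP status the registry answered with.
STATUS_RE = re.compile(r"Error (\d{3}):")


def parse_salt_states(text: str) -> List[Dict[str, str]]:
    """Split highstate text into one dict per state, keyed by the field names."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        match = KEY_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if key == "ID":  # every state block starts with its ID line
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def triage(text: str) -> Dict[str, object]:
    """Separate root failures from cascaded ones and collect failed image pulls."""
    failed = [r for r in parse_salt_states(text) if r.get("Result") == "False"]
    roots = [r for r in failed if not CASCADE_RE.match(r.get("Comment", ""))]
    cascades = [r for r in failed if CASCADE_RE.match(r.get("Comment", ""))]

    missing_images: Dict[str, int] = {}
    for record in roots:
        comment = record.get("Comment", "")
        image = IMAGE_RE.search(comment)
        status = STATUS_RE.search(comment)
        if image:
            missing_images[image.group(1)] = int(status.group(1)) if status else 0

    return {
        "root_causes": [r["ID"] for r in roots],
        "cascaded": [r["ID"] for r in cascades],
        "missing_images": missing_images,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SALT_OUTPUT)
    print("Root causes:  ", ", ".join(result["root_causes"]))
    print("Cascaded only:", ", ".join(result["cascaded"]))
    for image, status in result["missing_images"].items():
        print(f"Registry returned {status} for {image}")
```

Run against the real output of `so-checkin` (saved to a file) to get a short list of states worth investigating; the cascaded ones usually clear on the next highstate once the root causes, here the missing registry manifests and the Suricata rule source, are fixed.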